/operate/ - Endchan Operations

Let us know what's up




I had a development server breached that had an old development copy of the Endchan database (without media).

All users are advised to change their passwords ASAP.

The development server was breached using a redis/ssh exploit. Redis was installed and usually ran as a user, but recently, while doing some development work, I accidentally started it up as root to look something up and left it running. Redis can then write to your ssh keys, insert unwanted keys and allow root access. All files in /root and /home were removed and a note was left:

> Hi, please view here: http://pastebin.com/raw/vadfLyDS for information on how to obtain your files!

Luckily I have bandwidth logs on that box and I can see there was nothing transferred out of the box. So my guess is they just deleted the files. The nature in which they left the machine leads me to believe this was an automated attack (plenty of other meaningful data directories were left alone). 

The copy of Endchan's data is left untouched on this development server. However, the dump that was used to transfer the copy was still likely in the /root directory that was deleted. I will get the date of the data copy as soon as I can do some data recovery on that machine; I estimate the copy to be an early 2016 Q2 dump. This server is now offline.

At Endchan, we want to be as transparent as we possibly can, and even though we do not believe anything was leaked, we cannot rule out with 100% certainty that nothing happened. And even if we could be certain that nothing was at risk, we still want to report anything of this nature to our users.

I fucked up. I'm sorry for any troubles this may have caused and has caused any of you.

Please let us know any questions you may have.
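As an added defender-side example (not from this thread and not Endchan's code), a small Python audit for the two things the post above describes: an authorized_keys file that a Redis instance has been made to overwrite with its dump, and the redis.conf settings that leave an instance reachable from the network. Both sample inputs are constructed.

```python
import re

# Constructed stand-in for an authorized_keys file after an exposed, root-run
# Redis was made to save its dump there: a real dump wraps the injected key in
# a binary header ("REDIS" + version) and trailer. This is not a real RDB file.
SAMPLE_AUTHORIZED_KEYS = (
    b"REDIS0006\xfe\x00\x00\x03foo\x03bar\n\n"
    b"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC7constructedkey= attacker@example\n\n"
    b"\xff\x12\x34\x56\x78"
)

# One OpenSSH public key line: optional options, key type, base64 blob, comment.
KEY_LINE = re.compile(
    r"^(?:\S+\s+)?(ssh-(?:rsa|ed25519|dss)|ecdsa-sha2-nistp\d+|sk-\S+)"
    r"\s+[A-Za-z0-9+/=]+(?:\s+.*)?$"
)


def audit_authorized_keys(data: bytes) -> list:
    """Return findings for an authorized_keys body; an empty list means clean."""
    findings = []
    if data.startswith(b"REDIS"):
        findings.append("file starts with Redis RDB magic header")
    for num, line in enumerate(data.decode("latin-1").splitlines(), start=1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        if any(not 0x20 <= ord(c) <= 0x7E for c in stripped):
            findings.append(f"line {num}: contains non-printable bytes")
        elif not KEY_LINE.match(stripped):
            findings.append(f"line {num}: not a valid public key line")
    return findings


def redis_conf_findings(conf: str) -> list:
    """Flag redis.conf settings that expose the instance to remote clients."""
    # Running as root (the other half of this incident) is a service setting,
    # not a redis.conf directive: check the process owner separately.
    settings = {}
    for raw in conf.splitlines():
        line = raw.strip()
        if line and not line.startswith("#"):
            key, _, value = line.partition(" ")
            settings[key] = value.strip()  # a later directive overrides an earlier one here
    findings = []
    binds = settings.get("bind", "").split()
    if not binds or any(b in ("0.0.0.0", "::", "*") for b in binds):
        findings.append("bind: reachable on all interfaces")
    if settings.get("protected-mode") != "yes":  # absence treated as weak
        findings.append("protected-mode is not yes")
    if not settings.get("requirepass"):
        findings.append("requirepass not set")
    return findings
```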


Dude Sex hacking.gif (3.6 MB, 320x180)
 >>/4992/
 >>/4993/
This wasn't our web server. This was OdiliTime's personal server that OdiliTime happened to have transferred a backup to while we were doing maintenance on the endchan server just in case something went wrong. SSL or a lack thereof wasn't involved.

In any case, we got lucky and I've made sure to rip OdiliTime a new asshole over this shit. I'm guessing that the attack was either a scam by a script kiddie or a greyhat trying to spook people into securing their shit. Like OdiliTime said, nothing was uploaded, so the odds strongly favor no DB leak occurring. The notification to change your passwords is more out of paranoia (e.g. some crazy NSA shit transmitting the data offsite without the transmission being logged by the external monitoring equipment; not likely) than anything else.

In other words, shit got fucked up, but odds are it'll be fine.


Why is/was your development/test server accessible online? Can't keep >>/4986/ over this mishap. Could you check the logs if a mod volunteer like >>/pol/23993/ was in the logs of potential account takeovers?
 >>/4998/
> crazy NSA shit transmitting the data offsite without the transmission being logged by the external monitoring equipment; not likely) than anything else.

Highly possible with state actor attacks we've seen as of late. 

Leaking PizzaGate really did a number, worldwide.
 >>/5016/
You do still have a copy of that old DB, right?

 >>/5343/
> Why is/was your development/test server accessible online?
because we needed public testers. 

> Could you check the logs if a mod volunteer like  >>/pol/23993/ was in the logs of potential account takeovers
Not sure how to figure that out, let me talk with Lynx.

> You do still have a copy of that old DB, right?
No I don't.

 >>/5344/
Then make a mock test site, not a duplicate, yesh.
> No I don't.

This is bad. M8, when you can, study up on Sysadmin. Rule 37 of "After an attack" is to keep an archive of the exploit. You want to retrospect on how malicious attacks are growing, so you proactively scope those vulnerabilities.

 >>/5428/
As long as you archive and properly mock the test server from here on, you will form a basis to document changes dependent on the master branch. Usually it is cheaper to VPN the server in a locked virtual environment, so you see a full scope of the system. Vulnerabilities are getting scarier and more efficient, thanks in part to manufacturers leaving vulnerabilities in the hardware/UEFI/BIOS/firmware. Right now, the biggest threat is GPUs with DMA and their lack of documentation: enormous processing power that, when clustered, can replicate innumerable vulnerabilities in one machine before the next cycle hits the CPU to address the bus.



And this is why I always backup all my files OFFLINE, routinely. People who run imageboards should be doing the same.

So, here's the question. Can I re-upload any of my files that are now dead within the server!?

 >>/9059/
Apparently not yet unless you adjust images by a pixel, one letter for .pdf and any text file edits, or videos trimmed by a millisecond. New names for all. The corrupted old caches? Hashes? They really need to be purged somehow.

 >>/9060/
I am not tech savvy enough to do all that with my media files, so until the site owner purges the junk caches I won't be posting any media format other than some basic memes. This sucks for me because I contributed a ton of videos to /spoon/ a couple months back. Real good stuff and a lot of time uploading completely wasted. I'll be reposting elsewhere when I find a reputable hosting source.


 >>/9074/
Thank you. Let us know when this gets finished and when we can fix these issues. I would gladly re-upload all my video content (all very informative videos) as I have offline backups. Looking forward to this problem being fixed.


19 replies | 1 file